How To Rebuild The Squid 2.6 Debian Package with Support For X-Forwarded-For Headers

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Submitted by falko (Contact Author) (Forums) on Mon, 2008-12-15 16:47. :: Debian

How To Rebuild The Squid 2.6 Debian Package with Support For X-Forwarded-For Headers

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 11/27/2008

This article describes how you can rebuild the Squid 2.6 package for Debian Etch with support for X-Forwarded-For headers - this feature is not enabled in the default Debian Etch Squid package. This feature is useful if you are using Squid as a reverse proxy for your web site and are using a load balancer (such as HAProxy) in front of Squid - it allows us to track the client's original IP address instead of the load balancer's IP address (which to Squid appears as the client).

From the Squid documentation:

Requests may pass through a chain of several other proxies before reaching us. The X-Forwarded-For header will contain a comma-separated list of the IP addresses in the chain, with the rightmost address being the most recent. If a request reaches us from a source that is allowed by this configuration item, then we consult the X-Forwarded-For header to see where that host received the request from. If the X-Forwarded-For header contains multiple addresses, and if acl_uses_indirect_client is on, then we continue backtracking until we reach an address for which we are not allowed to follow the X-Forwarded-For header, or until we reach the first address in the list. (If acl_uses_indirect_client is off, then it's impossible to backtrack through more than one level of X-Forwarded-For addresses.)

The end result of this process is an IP address that we will refer to as the indirect client address. This address may be treated as the client address for access control, delay pools and logging, depending on the acl_uses_indirect_client, delay_pool_uses_indirect_client and log_uses_indirect_client options.

You can use the following configuration options in squid.conf if the feature is enabled:

  • follow_x_forwarded_for
  • acl_uses_indirect_client
  • delay_pool_uses_indirect_client
  • log_uses_indirect_client

I do not issue any guarantee that this will work for you!

 

Rebuilding Squid

First we install some compilers and development tools:

apt-get install devscripts build-essential fakeroot

Next we install the Squid source package...

cd /usr/src
apt-get source squid

... and the dependencies for building a new Squid package:

apt-get build-dep squid

Then we go to the debian directory within the Squid directory...

cd squid-2.6.5/debian

... and open the rules file:

vi rules

There you should find a section that starts as follows...

# Configure the package.
config.status:

        $(opt_ac_cv_func_setresuid) \
        ./configure \

... followed by Squid configuration options. Add the line --enable-follow-x-forwarded-for \ to the configuration options so that the section looks as follows:

[...]
# Configure the package.
config.status:

        $(opt_ac_cv_func_setresuid) \
        ./configure \
        --prefix=/usr \
        --exec_prefix=/usr \
        --bindir=/usr/sbin --sbindir=/usr/sbin \
        --libexecdir=/usr/lib/squid \
        --sysconfdir=$(sysconfdir) \
        --localstatedir=/var/spool/squid \
        --datadir=/usr/share/squid \
        $(with_pthreads) \
        $(with_netfilter) \
        $(with_arp_acl) \
        $(with_epoll) \
        --enable-removal-policies=lru,heap \
        --enable-snmp \
        --enable-delay-pools \
        --enable-htcp \
        --enable-cache-digests \
        --enable-underscores \
        --enable-referer-log \
        --enable-useragent-log \
        --enable-auth="basic,digest,ntlm" \
        --enable-carp \
        --enable-follow-x-forwarded-for \
        --with-large-files \
        $(DEB_HOST_ARCH_CPU)-debian-$(DEB_HOST_ARCH_OS)
[...]

Next go up one directory...

cd ..

... and start the building process:

./configure
debuild -us -uc -b

Afterwards, go to the /usr/src directory...

cd /usr/src

... and run

ls -l

You should find new Squid .deb packages:

server1:/usr/src# ls -l
total 3332
drwxr-xr-x 15 root root    4096 2008-11-26 01:14 squid-2.6.5
-rw-r--r--  1 root src   273063 2008-11-26 00:41 squid_2.6.5-6etch4.diff.gz
-rw-r--r--  1 root src      432 2008-11-26 00:41 squid_2.6.5-6etch4.dsc
-rw-r--r--  1 root src   143884 2008-11-26 01:14 squid_2.6.5-6etch4_i386.build
-rw-r--r--  1 root src     1135 2008-11-26 01:14 squid_2.6.5-6etch4_i386.changes
-rw-r--r--  1 root src   655604 2008-11-26 01:14 squid_2.6.5-6etch4_i386.deb
-rw-r--r--  1 root src  1636886 2006-11-06 12:32 squid_2.6.5.orig.tar.gz
-rw-r--r--  1 root src   117120 2008-11-26 01:14 squid-cgi_2.6.5-6etch4_i386.deb
-rw-r--r--  1 root src    86132 2008-11-26 01:14 squidclient_2.6.5-6etch4_i386.deb
-rw-r--r--  1 root src   442218 2008-11-26 01:14 squid-common_2.6.5-6etch4_all.deb
server1:/usr/src#

Pick the squid and squid-common packages and install them as follows:

dpkg -i squid_2.6.5-6etch4_i386.deb squid-common_2.6.5-6etch4_all.deb

That's it - now Squid supports X-Forwarded-For headers.

 

Links


Copyright © 2008 Falko Timme
All Rights Reserved.
add comment | view as pdf view as pdf | Display a printer-friendly version of this page. print |
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Sponsored Links: Unified Communications: Thoughts, Strategies and Predictions
Join the discussion.
www.seamlessenterprise.com

IP Convergence
Integrate your wireless and wireline networks.
Learn how from the experts at Sprint.
www.seamlessenterprise.com

Wireless & Wireline Integration
Thoughts, strategies and solutions: join the discussion
www.seamlessenterprise.com

Unified Communications 2009
Join the Discussion. Now.
www.seamlessenterprise.com